On Tuesday 11 July 2006 16:43, MT wrote:
> Okay, somehow I kind of got it to work. Here's my ACLs in order:
>
> access to dn.children="dc=cmcflex,dc=com"
>         by users write
>         by * auth
The above ACL seems a bit weird ... you probably want this 2nd-last.
>
> access to
>         attrs="telephoneNumber","homePhone","homePostalAddress","userPassword"
>         by users write
>         by * auth
Move these attributes into their own ACL, so that you instead have:

access to attrs=userPassword
        by self write
        by * auth

access to attrs=telephoneNumber,homePhone,homePostalAddress
        by users write
        by * read

> access to *
>         by anonymous read
You really don't want to mix ACLs for password attributes with other
attributes you want to provide read access to. And, you probably don't want
any authenticated user to be able to change the passwords of other users.
Finally, you may also consider using a group for the write ACLs, so that
simply setting a password for a user doesn't compromise your ACLs.
Regards,
Buchan
--
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
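
Added example, not part of the message above: one way the advice in this reply could look as a complete, ordered slapd.conf ACL set. The group DN cn=ldapadmins,ou=Groups,dc=cmcflex,dc=com is hypothetical, and the "by users read" lines are an assumption so that ordinary authenticated users keep read access once write is limited to the group.

```conf
# slapd applies the first "access to" clause that matches the target, then
# the first matching "by" inside it, so the narrowest rules must come first.

# 1. Passwords: only the owner or the admin group may change them;
#    everyone else may only use the attribute to bind.
access to attrs=userPassword
        by group.exact="cn=ldapadmins,ou=Groups,dc=cmcflex,dc=com" write
        by self write
        by * auth

# 2. Contact attributes: readable by all, writable by the admin group
#    (a group instead of "users", as suggested at the end of the reply).
access to attrs=telephoneNumber,homePhone,homePostalAddress
        by group.exact="cn=ldapadmins,ou=Groups,dc=cmcflex,dc=com" write
        by * read

# 3. Second-last: everything else below the base DN.
access to dn.children="dc=cmcflex,dc=com"
        by group.exact="cn=ldapadmins,ou=Groups,dc=cmcflex,dc=com" write
        by users read
        by * auth

# 4. Catch-all, last.
access to *
        by anonymous read
```

With this ordering a newly created account that has a password can bind and change its own password, but gains write access elsewhere only when it is added as a member of the group entry.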